fix(middleware): escape and clean path for the skipper (#10674)

1. Escape and clean request path for `legacyAPISkipper`.
2. Escape and clean request path for `MethodAndPathSkipper`.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
He Weiwei 2020-02-11 22:29:55 +08:00 committed by GitHub
parent d66c1a4a21
commit 75bbf9d0bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 2 deletions


@ -16,6 +16,7 @@ package middlewares
import (
"net/http"
"path"
"regexp"
"strings"
@ -37,8 +38,9 @@ var (
// legacyAPISkipper skip middleware for legacy APIs
func legacyAPISkipper(r *http.Request) bool {
path := path.Clean(r.URL.EscapedPath())
for _, prefix := range []string{"/v2/", "/api/v2.0/"} {
if strings.HasPrefix(r.URL.Path, prefix) {
if strings.HasPrefix(path, prefix) {
return false
}
}
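Review bot: `path.Clean` strips a trailing slash, so in `legacyAPISkipper` a request for exactly `/v2/` or `/api/v2.0/` is cleaned to `/v2` or `/api/v2.0` and no longer matches the slash-terminated prefixes; it then falls through to whatever the function returns after the loop, which is outside this hunk and presumably `true` (skip). The old `r.URL.Path` comparison matched those requests. The comparison also now runs on `EscapedPath()`, so a request whose prefix arrives percent-encoded compares unequal here even though its decoded `r.URL.Path` is the same; if the router dispatches on the decoded path, the skipper and the router can disagree about which API a request belongs to. Consider matching on the representation the router uses and accepting the bare prefix, e.g. `p := path.Clean(r.URL.Path)` with `if p == strings.TrimSuffix(prefix, "/") || strings.HasPrefix(p, prefix) {`, which also stops the local `path` from shadowing the imported package. The same `path.Clean(r.URL.EscapedPath())` pattern and the same shadowing appear in `MethodAndPathSkipper` in the third file.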


@ -41,3 +41,27 @@ func Test_fetchBlobAPISkipper(t *testing.T) {
})
}
}
func Test_legacyAPISkipper(t *testing.T) {
type args struct {
r *http.Request
}
tests := []struct {
name string
args args
want bool
}{
{"/api/v2.0/projects", args{httptest.NewRequest(http.MethodGet, "/api/v2.0/projects", nil)}, false},
{"//api/v2.0/projects", args{httptest.NewRequest(http.MethodGet, "//api/v2.0/projects", nil)}, false},
{"/api/v2.0//projects", args{httptest.NewRequest(http.MethodGet, "/api/v2.0//projects", nil)}, false},
{"/v2/library/photon/tags", args{httptest.NewRequest(http.MethodGet, "/v2/library/photon/tags", nil)}, false},
{"/api/projects", args{httptest.NewRequest(http.MethodGet, "/api/projects", nil)}, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := legacyAPISkipper(tt.args.r); got != tt.want {
t.Errorf("legacyAPISkipper() = %v, want %v", got, tt.want)
}
})
}
}
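Review bot: The table in `Test_legacyAPISkipper` covers doubled slashes but none of the other inputs the new normalisation changes: a request for exactly `/v2/` or `/api/v2.0/` (which `path.Clean` reduces to a form without the trailing slash), a dot-segment path such as `/api/v2.0/../projects`, and a percent-encoded path. Rows for these would pin the intended result for each, e.g. `{"/v2/", args{httptest.NewRequest(http.MethodGet, "/v2/", nil)}, false},`. A one-line comment above the table saying that `false` means the middleware is not skipped would make the expected values easier to audit.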


@ -16,6 +16,7 @@ package middleware
import (
"net/http"
"path"
"regexp"
)
@ -28,7 +29,8 @@ type Skipper func(*http.Request) bool
// when method is "*" it equals all http method
func MethodAndPathSkipper(method string, re *regexp.Regexp) func(r *http.Request) bool {
return func(r *http.Request) bool {
if (method == "*" || r.Method == method) && re.MatchString(r.URL.Path) {
path := path.Clean(r.URL.EscapedPath())
if (method == "*" || r.Method == method) && re.MatchString(path) {
return true
}